I run a hub-and-spoke architecture network that uses two different VPN technologies to connect the spoke sites to the corporate hub. Some spoke networks use Windows NT RRAS and the other spokes use Red Creek Ravlin VPN boxes. All users are routed to the corporate hub and out the corporate firewall for Internet access.
We used to have a Velociraptor firewall and recently switched to a PIX 515E. Since the switch, several users began complaining of not being able to load and/or connect to certain web sites. After some troubleshooting I have found that it is only the RRAS users that are experiencing these problems. Ravlin-connected users seem to be fine. We did not have these problems with the Velociraptor.
I would like to know if maybe the fact that this traffic reaches the PIX after being tunneled via PPTP has something to do with this? One interesting note is that RRAS/PPTP user traffic passes through the PIX twice. Since the RRAS server is behind the PIX and has no interface with a public IP, incoming RRAS traffic is statically NATted to the RRAS server through the PIX. If the traffic is Internet-bound then it is routed back to the PIX for outbound translation. This double pass through the PIX is not true of the Ravlin box, which has one interface on the public network outside the PIX and one on the private side. What makes this really weird is that it only happens with a handful of web sites. Any suggestions?
Do you see anything in the syslog on the PIX when users try to go to these few sites? My first thought was an MTU issue, but that would be strange to just a few sites. Are you doing any URL filtering on the PIX via a WebSense or N2H2 server?
I think the best bet is to set up logging and see what the PIX is telling you.
I did set up syslog and it shows the clients resetting the connection, but nothing else in the log seems to indicate why. I thought the next step would be to do some packet capturing, but I wouldn't know how to interpret the results anyway. Since it's only a handful of sites, management has told me not to spend too much time on it, but I am concerned that more sites will pop up with this problem. Maybe we can mess with the MTU just to see what would happen? Is this something that I would do on the PIX or the clients?
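The two symptoms in this thread (client-side resets in the PIX syslog, and only one VPN population affected) can be separated from each other with the log data already being collected. The script below is an added example, not code from any poster or from Cisco: it parses PIX %PIX-6-302014 "Teardown TCP connection" messages, groups them by destination site and client /24, and flags (site, client subnet) pairs where most connections end in "TCP Reset-I" after moving almost no data, which is the shape a path-MTU black hole leaves behind when large segments never arrive and the client eventually gives up. It also carries the PPTP overhead arithmetic behind the MTU suggestion. The log lines, addresses, subnets, the 10.20.0.0/24 (RRAS) versus 10.30.0.0/24 (Ravlin) split, the flagging thresholds and the GRE/PPP header sizes are all constructed assumptions for the example; the output points at where to capture packets, it does not prove the cause.

```python
"""Triage PIX 302014 teardown messages for stalled, client-reset connections.

Added example for this thread. Every log line and address below is constructed;
none of it comes from the original poster's firewall.
"""
import re
from collections import defaultdict

# Constructed sample in the PIX 302014 format:
#   Teardown TCP connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port>
#   duration h:mm:ss bytes <n> [reason]
# Assumed layout: 10.20.0.0/24 = PPTP/RRAS clients, 10.30.0.0/24 = Ravlin clients.
SAMPLE_LOG = """\
%PIX-6-302014: Teardown TCP connection 101 for outside:203.0.113.10/80 to inside:10.20.0.5/1034 duration 0:00:21 bytes 312 TCP Reset-I
%PIX-6-302014: Teardown TCP connection 102 for outside:203.0.113.10/80 to inside:10.20.0.5/1035 duration 0:00:20 bytes 298 TCP Reset-I
%PIX-6-302014: Teardown TCP connection 103 for outside:198.51.100.7/80 to inside:10.20.0.5/1036 duration 0:00:03 bytes 48211 TCP FINs
%PIX-6-302014: Teardown TCP connection 104 for outside:203.0.113.10/80 to inside:10.30.0.9/2001 duration 0:00:05 bytes 52010 TCP FINs
%PIX-6-302014: Teardown TCP connection 105 for outside:203.0.113.10/80 to inside:10.20.0.6/1100 duration 0:00:22 bytes 305 TCP Reset-I
%PIX-6-302014: Teardown TCP connection 106 for outside:192.0.2.44/443 to inside:10.20.0.5/1037 duration 0:01:10 bytes 90455 TCP FINs
"""

# Prefix is matched loosely (search for the message id) so %PIX-x-302014 variants all parse.
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) to "
    r"(?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+))?$"
)


def parse_teardowns(text):
    """Return one dict per 302014 line; for outbound connections the first address is the remote site."""
    rows = []
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        rows.append({
            "remote": d["ip_a"],
            "remote_port": int(d["port_a"]),
            "local": d["ip_b"],
            "seconds": int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"]),
            "bytes": int(d["bytes"]),
            "reason": (d["reason"] or "").strip(),
        })
    return rows


def subnet24(ip):
    """Crude /24 key so that client populations behind different tunnels fall into separate buckets."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def summarize(rows):
    """Aggregate per (remote site, client /24): connection count, client resets, bytes moved."""
    summary = defaultdict(lambda: {"conns": 0, "reset_i": 0, "bytes": 0})
    for r in rows:
        s = summary[(r["remote"], subnet24(r["local"]))]
        s["conns"] += 1
        s["bytes"] += r["bytes"]
        if r["reason"] == "TCP Reset-I":  # reset originated on the inside (client) side
            s["reset_i"] += 1
    return dict(summary)


def suspect_black_holes(summary, min_conns=2, max_avg_bytes=1000):
    """Flag pairs where at least half the connections were client resets carrying little data.

    Thresholds are assumed starting points for triage, not Cisco-documented values.
    """
    flagged = []
    for (remote, subnet), s in sorted(summary.items()):
        avg_bytes = s["bytes"] / s["conns"]
        if s["conns"] >= min_conns and s["reset_i"] * 2 >= s["conns"] and avg_bytes <= max_avg_bytes:
            flagged.append((remote, subnet))
    return flagged


def pptp_inner_mtu(link_mtu=1500, gre_header=16, ppp_header=4):
    """Largest IP packet a PPTP client can send without the GRE carrier exceeding the link MTU.

    Assumed worst-case overhead: outer IPv4 20 bytes, RFC 2637 GRE with key, sequence and
    acknowledgement 16 bytes, PPP address/control/protocol 4 bytes.
    """
    return link_mtu - 20 - gre_header - ppp_header


def pptp_tcp_mss(link_mtu=1500):
    """TCP MSS that fits the inner MTU (inner IPv4 20 bytes + TCP 20 bytes)."""
    return pptp_inner_mtu(link_mtu) - 40


if __name__ == "__main__":
    rows = parse_teardowns(SAMPLE_LOG)
    summary = summarize(rows)
    for key, s in sorted(summary.items()):
        print(key, s)
    print("suspect (site, client subnet) pairs:", suspect_black_holes(summary))
    print("PPTP inner MTU / MSS at 1500-byte link:", pptp_inner_mtu(), pptp_tcp_mss())
```

In the constructed sample the same site closes cleanly for the Ravlin subnet and is reset three times with about 300 bytes each from the PPTP subnet, so the script flags only the PPTP pairing; that is the pattern to confirm with a capture on the RRAS server's inside leg before changing any MTU or MSS setting.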